TryHackMe: Nmap Basic Port Scans Writeup
This room aims to teach in-depth how Nmap TCP connect scan, TCP SYN port scan, and UDP port scan work. This room can be accessed at: https://tryhackme.com/room/nmap02
Task 1: Introduction
- Launch the AttackBox by using the Start AttackBox button. You will launch different types of scans against the target VM to gain a solid knowledge of Nmap basic scan types. Answer: No answer needed
Task 2: TCP and UDP Ports
Nmap considers the following six states:
- Open: indicates that a service is listening on the specified port.
- Closed: indicates that no service is listening on the specified port, although the port is accessible. By accessible, we mean that it is reachable and is not blocked by a firewall or other security appliances/programs.
- Filtered: means that Nmap cannot determine if the port is open or closed because the port is not accessible. This state is usually due to a firewall preventing Nmap from reaching that port. Nmap’s packets may be blocked from reaching the port; alternatively, the responses are blocked from reaching Nmap’s host.
- Unfiltered: means that Nmap cannot determine if the port is open or closed, although the port is accessible. This state is encountered when using an ACK scan.
- Open|Filtered: This means that Nmap cannot determine whether the port is open or filtered.
- Closed|Filtered: This means that Nmap cannot decide whether a port is closed or filtered.
- Which service uses UDP port 53 by default? Answer: DNS
- Which service uses TCP port 22 by default? Answer: SSH
- How many port states does Nmap consider? Answer: 6
- Which port state is the most interesting to discover as a pentester? Answer: Open
Task 3: TCP Flags
The TCP header flags are:
- URG: Urgent flag indicates that the urgent pointer field is significant. The urgent pointer indicates that the incoming data is urgent and that a TCP segment with the URG flag set is processed immediately without having to wait on previously sent TCP segments.
- ACK: The acknowledgement flag indicates that the acknowledgement number is significant. It is used to acknowledge the receipt of a TCP segment.
- PSH: Push flag asking TCP to pass the data to the application promptly.
- RST: Reset flag is used to reset the connection. Another device, such as a firewall, might send it to tear a TCP connection. This flag is also used when data is sent to a host and there is no service on the receiving end to answer.
- SYN: Synchronize flag is used to initiate a TCP 3-way handshake and synchronize sequence numbers with the other host. The sequence number should be set randomly during TCP connection establishment.
- FIN: The sender has no more data to send.
- What 3 letters represent the Reset flag? Answer: RST
- Which flag needs to be set when you initiate a TCP connection (first packet of TCP 3-way handshake)? Answer: SYN
Task 4: TCP Connect Scan
We can choose to run a TCP connect scan using the -sT option.
- Launch the VM. Open the AttackBox and execute nmap -sT MACHINE_IP via the terminal. A new service has been installed on this VM since our last scan. Which port number was closed in the scan above but is now open on this target VM? Answer: 110
- What is Nmap’s guess about the newly installed service? Answer: pop3
Task 5: TCP SYN Scan
We can select this scan type by using the -sS option.
- Launch the VM. Some new server software has been installed since the last time we scanned it. On the AttackBox, use the terminal to execute nmap -sS MACHINE_IP. What is the new open port? Answer: 6667
- What is Nmap’s guess of the service name? Answer: irc
Task 6: UDP Scan
- Launch the VM. On the AttackBox, use the terminal to execute nmap -sU -F -v MACHINE_IP. A new service has been installed since the last scan. What is the UDP port that is now open? Answer: 53
- What is the service name according to Nmap? Answer: domain
Task 7: Fine-Tuning Scope and Performance
We can specify the ports we want to scan instead of the default 1000 ports. Specifying the ports is intuitive by now. Let's see some examples:
- port list: -p22,80,443 will scan ports 22, 80 and 443.
- port range: -p1-1023 will scan all ports between 1 and 1023 inclusive, while -p20-25 will scan ports between 20 and 25 inclusive.
We can request the scan of all ports by using -p-, which will scan all 65535 ports. If we want to scan the most common 100 ports, add -F. --top-ports 10 will check the ten most common ports.
We can control the scan timing using -T<0-5>: -T0 is the slowest (paranoid), while -T5 is the fastest. According to the Nmap manual page, there are six templates:
- paranoid (0)
- sneaky (1)
- polite (2)
- normal (3)
- aggressive (4)
- insane (5)
Alternatively, we can choose to control the packet rate using --min-rate <number> and --max-rate <number>. For example, --max-rate 10 or --max-rate=10 ensures that our scanner is not sending more than ten packets per second.
Moreover, we can control probing parallelization using --min-parallelism <numprobes> and --max-parallelism <numprobes>. Nmap probes the targets to discover which hosts are live and which ports are open; probing parallelization specifies the number of such probes that can be run in parallel. For instance, --min-parallelism=512 pushes Nmap to maintain at least 512 probes in parallel; these 512 probes are related to host discovery and open ports.
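Scope mistakes with -p are easy to make (an extra comma, a reversed range, a port above 65535), and the fastest way to learn the syntax is to expand an expression and count what it covers. The parser below is an added example written for this writeup, not Nmap's own port-spec code: it implements the forms shown above (comma lists, inclusive ranges, a bare "-" for every port) and rejects malformed input. The function name `expand_port_spec` is an assumption; the examples it expands are the ones from this task.

```python
"""Expand an Nmap-style -p port specification (added illustration).

Handles the syntax shown in this task: "22,80,443", "1-1023", "20-25", and
"-" (every port from 1 to 65535). A leading "-p" is tolerated so the exact
option text can be pasted in. Anything else raises ValueError.
"""
from typing import List, Set

MIN_PORT = 1
MAX_PORT = 65535


def expand_port_spec(spec: str) -> List[int]:
    """Return the sorted, de-duplicated ports described by `spec`."""
    spec = spec.strip()
    if spec.startswith("-p"):           # allow "-p22,80" as well as "22,80"
        spec = spec[2:].strip()
    if not spec:
        raise ValueError("empty port specification")

    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty item in port specification {spec!r}")
        if "-" in item:
            # Inclusive range; an omitted bound means the extreme on that side,
            # so "-" alone is 1-65535 and "1000-" is 1000-65535.
            low_text, high_text = item.split("-", 1)
            low = int(low_text) if low_text else MIN_PORT
            high = int(high_text) if high_text else MAX_PORT
        else:
            low = high = int(item)
        if not (MIN_PORT <= low <= high <= MAX_PORT):
            raise ValueError(f"port item out of range or reversed: {item!r}")
        ports.update(range(low, high + 1))
    return sorted(ports)


def describe_scope(spec: str) -> str:
    """One-line summary used to sanity-check a scope before running a scan."""
    ports = expand_port_spec(spec)
    return f"{spec!r} covers {len(ports)} port(s), {ports[0]}..{ports[-1]}"


if __name__ == "__main__":
    for example in ("-p22,80,443", "-p1-1023", "-p20-25", "-p-", "-p5000-5500"):
        print(describe_scope(example))
```

Port 0 is deliberately excluded here because the task counts 65535 ports for -p-; Nmap's own parser also accepts protocol prefixes such as T: and U:, which this illustration does not handle.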
- What is the option to scan all the TCP ports between 5000 and 5500? Answer: -p5000-5500
- How can you ensure that Nmap will run at least 64 probes in parallel? Answer: --min-parallelism 64
- What option would you add to make Nmap very slow and paranoid? Answer: -T0
Task 8: Summary
- Ensure you have taken note of all the scan options covered in this room. It is time to learn more advanced port scanning techniques by joining the Nmap Advanced Port Scans room. Answer: No answer needed